What are the measures implemented by Owkin and its partners to ensure the security of the processing of patient data?
When conducting their research project, Owkin and its partners, each acting as an independent controller, commit to the following:
Non-directly identifying information
Owkin and its partners only use patients’ personal data that has been pseudonymized or de-identified before they access it. Except for specific cases, like quality control as allowed by applicable laws and regulations, Owkin and its partners never access information that could directly identify the patients. Each patient’s data is assigned a code, and only Owkin Network members who provide the data keep a record linking this code to the patient’s identity in their own healthcare databases. As a result, the data shared with Owkin and its partners does not contain any information that could directly reveal a patient’s identity.
Data privacy compliance
Owkin and its partners are committed to processing personal data — especially sensitive information like health data — in line with all applicable laws and regulations. Because Owkin is a French-American company, it follows French data protection laws, which are among the strictest in the European Union when it comes to protecting individuals’ rights.
International transfer of data
Owkin uses cloud service providers with servers located in the same region as the one in which its research partners providing access to the data are established. For example, data from European centers is stored in Europe by providers certified under the French health data hosting standard (HDS), while data from North American centers is mainly stored in North America.
Furthermore, when technically possible, Owkin encourages the processing of European citizens’ data by its employees, affiliates, partners and service providers located in the European Economic Area. However, if for the needs of their research activities, Owkin and/or its partners have to transfer data of European patients (including British and/or Swiss patients) to partners, service providers and/or Owkin’s affiliates established outside of Europe, Owkin will ensure that adequate and appropriate safeguards are implemented, as required by the GDPR, the UK Data Protection Act and the Swiss Data Protection Act when applicable. For example, this could be done by entering into standard contractual clauses approved by the European Commission, as well as the specific clauses approved by the UK Information Commissioner’s Office and/or the Swiss Federal Data Protection and Information Commissioner when applicable. For more detailed information on the safeguards, patients can contact Owkin’s data protection officer with the details provided below.
Ethical and scientific validation
Owkin and its partners ensure their research projects are aligned with the relevant ethical and scientific standards. When required by the applicable laws and regulations, the scientific protocols are evaluated by local ethical committees.
Privacy by design
As part of its research activities, Owkin adheres to the “Privacy by Design” principle from the earliest stages of its technology development. Aware of the sensitive nature of personal data - particularly health data - Owkin adopts a proactive approach to ensure that privacy protection is embedded throughout the entire lifecycle of its technologies, from design to deployment. Data processing is limited to what is strictly necessary, secured through robust technical and organizational measures (such as encryption, pseudonymization, and access control), and supported by clear and transparent documentation. This approach ensures sustained compliance with the GDPR while reinforcing the trust of healthcare professionals and patients alike.